  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 921

How can I stop warning re mysterious trojan or clean my PC of mchinjdrv.sys?

Recently my AVG software has reported on startup that a trojan threat has been detected in c:\windows\system32\drivers\mchinjdrv.sys.

I've done some research and some say that this is a legit thing and others say it is indeed a trojan threat.  When the warning appears I can choose to Heal but it can't find the file so can't heal it.  I can choose to move it to the Virus Vault but as it can't find it there's nothing to move.  If I choose to Ignore it the box goes away but reappears again on startup.

Regedit won't let me chop the Legacy entries out of the registry and a search of the whole PC (including hidden files) can't find this file either.  I've run a full AVG virus scan and that comes up clean as do scans with Advanced WindowsCare, RegCure, XoftSpy and a scanner I tried from Sophos which claimed to search for hidden rootkits.

I've seen a similar issue reported in EE and it mentions something called Rootkit Unlocker (or something like that) but when I looked in to that there was some doubt about it as someone alleged that this software added something to the system to defend against it ever being removed so in a way that's almost as bad as this current possible security risk.

The only way I can see to rid myself of this dialog is to add an exclusion in AVG not to reference systems32\drivers when it starts up which is convenient but hardly secure.

Can anyone advise on how I can get rid of this thing?  Whether it's legit or not, if it poses a threat I'd rather not have it hanging around!  I'm running XP inc SP3 and all latest patches and AVG v8.

Thanks in advance.
0
Asked by: funasset

1 Solution
JoWickerman commented:
Hi,

Try the following:

Download Process Explorer from any site. (ProcessExplorer.zip)
Run Process Explorer
Find the process mchinjdrv.sys tree
Kill tree
Go to a DOS prompt
c:\> dir /S /AH /L mchinj*.sys
If you find the file:
attrib -s -h -r mchinjdrv.sys
rename mchinjdrv.sys mchinjdrv.old

Delete mchinjdrv.old

I think this should work.

Let me know,
Cheers.
0
 
MattRichardson commented:
0
 
funasset (Author) commented:
Thanks - I'll look in to both of these when I get home.

I'll get back to you!
0
 
funasset (Author) commented:
Nope.  Tried the ProcessExplorer and there was no entry for mchinjdrv.sys and it didn't show up in DOS using the search either.  I'm mystified as to where this damned thing is!!
0
 
ThinkSmartInc commented:
I did some digging for you on this issue. mchinjdrv.sys is for MadCodeHook Injection Driver.  It is used in programs like Spy Sweeper to do injection tests in order to catch malicious code.  Unfortunately, the way it's loaded is that the file is dropped just long enough to load into memory and then is deleted, which is why you can never locate it.  If you are using Spy Sweeper, I'd recommend putting it into your exemption list, or use another Anti-Spyware program.  Below are a couple of sites that you can check out to give you more information regarding mchinjdrv.sys:

http://forums.comodo.com/virusmalware_removal_assistance/mchinjdrvsys-t9257.0.html

http://www.wilderssecurity.com/showthread.php?t=47024
0
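The "dir /S /AH" search in JoWickerman's answer and ThinkSmartInc's explanation of a driver that is dropped, loaded and then deleted both come down to the same triage question: is there a driver service entry for this name, is it loaded right now, and is the image actually on disk? The PowerShell script below is an added example, not code from the thread or from any of the posters; it assumes a Windows version with PowerShell 4 or later (the original poster was on XP, where these cmdlets are not available) and uses the driver name from the thread as its default.

```powershell
# Added example (not from the thread): triage a driver name that an AV product flags
# but that cannot be found on disk.  Reports the service/registry entry, whether the
# driver is currently loaded, and whether the image file exists (with hash/signature).
# Assumes Windows with PowerShell 4+ (Get-FileHash); run as an administrator.
param(
    [string]$DriverName = 'mchinjdrv'   # name from the thread; change to the flagged driver
)

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$drivers = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Service entry: a kernel driver normally has a key here with an ImagePath value.
$key = Join-Path $svcRoot $DriverName
if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    "Service key found: $key"
    "  ImagePath : $($props.ImagePath)"
    "  Start     : $($props.Start)  (0=boot 1=system 2=auto 3=demand 4=disabled)"
    "  Type      : $($props.Type)   (1=kernel driver)"
} else {
    "No service key under $svcRoot for '$DriverName'"
}

# 2. Is it loaded right now?  Win32_SystemDriver shows state and the path it was loaded from.
$loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'"
if ($loaded) {
    "Driver object present: State=$($loaded.State) PathName=$($loaded.PathName)"
} else {
    "Driver '$DriverName' is not currently registered as a loaded system driver"
}

# 3. On-disk check, including hidden/system files (-Force is the attrib +h/+s equivalent
#    of 'dir /AH').  A missing file with a live service key matches the drop-and-delete pattern.
$files = Get-ChildItem -Path $drivers -Filter "$DriverName*.sys" -Force -ErrorAction SilentlyContinue
if ($files) {
    foreach ($f in $files) {
        "File: $($f.FullName)  Attributes=$($f.Attributes)"
        "  SHA256   : $((Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash)"
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        "  Signature: $($sig.Status)  Signer=$($sig.SignerCertificate.Subject)"
    }
} else {
    "No $DriverName*.sys under $drivers (consistent with a driver that is dropped, loaded, then deleted)"
}
```

The hash and signer fields are what to compare against the vendor's published binary when deciding whether the AV alert is a false positive, rather than excluding the whole drivers directory as the poster was considering.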
 
funasset (Author) commented:
Thanks for the links and I appreciate the digging.  It's a pesky little so-and-so isn't it.

It's AVG's Resident Shield that complains about it - I guess a recent signature update is why it's suddenly picking it up.  The trouble is that as far as I can see I can't add this specific file reference to its exceptions list.  I can only add the path so that will mean telling AVG not to look in the whole system32\drivers directory which doesn't seem safe to me.

I thought AVG was one of the best AV/anti-spam tools around so if I have to replace it in order to get rid of this warning I'm not entirely sure what to put in its place.  I can't find an email address or URL to contact the makers of AVG directly either so that I can pick their brains.  Tricky.

0
 
ThinkSmartInc commented:
You can go to http://www.avg.com/support-technical and enter your license from AVG to get support.
0
 
funasset (Author) commented:
Thanks.  In the past couple of days the warning hasn't appeared on startup 9 out of 10 times - why it appears on the other 1 occasion I really don't know.  I've scanned my PC with everything I can get my hands on and all reports indicate no infection so although this hook can be used by nasty hackers who need to get out more, it would seem that in this instance it is indeed a false positive and I'll have to contact AVG.

I appreciate your help.

Cheers.
0
 
funasset (Author) commented:
Many thanks for your efforts.
0
Question has a verified solution.